
Page 1: CAMP Med Building a Health Information Infrastructure to Support HIPAA Gary De Clute, IT Policy Consultant, UW-Madison, Division of Information Technology

CAMP Med

Building a Health Information Infrastructure to Support HIPAA

Gary De Clute, IT Policy Consultant, UW-Madison, Division of Information Technology

Richard Konopacki, Network Group Manager, UW-Madison, Medical School

Copyright © 2005 University of Wisconsin Board of Regents. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Contact Gary De Clute, [email protected] or Richard Konopacki, [email protected].


Brief Overview of HIPAA

• HIPAA is the “Health Insurance Portability and Accountability Act of 1996”

• Two major parts:

+ Insurance reform

+ Administrative simplification


Insurance Reform

• Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

+ Limits “preexisting condition” exclusions

+ Prohibits discrimination

+ Guarantees availability

+ Guarantees renewability


Administrative Simplification

• Title II of HIPAA is “administrative simplification”

• Grew by accretion and now includes several parts:

+ Transaction and Code Set Standards

+ Identifier Standards

+ Privacy Standards

+ Security Standards


Transaction and Code Sets

• Titled: “Health Insurance Reform: Standards for Electronic Transactions”

• “...adopts standards for eight electronic transactions and code sets to be used in those transactions...”

• Published by HHS in the Federal Register on August 17th, 2000.


Identifier Standards

• Employer identifier: published May 31st, 2002, effective July 30th, 2004*

• Provider identifier: published Jan. 23rd, 2004, effective May 23rd, 2007*

• Health plan identifier, (under development)

* All except “small health plans”


Privacy Regulation

• Titled: “Standards for Privacy of Individually Identifiable Health Information”

• “...to protect the privacy of individually identifiable health information...”

• Proposed rule was published for comment on Nov. 3rd, 1999

• Received 52,000 comments, many from individual consumers


• Final rule was published on Dec. 28th, 2000

• Afterward there were concerns about:

“...unintended negative effects of the Privacy Rule on health care quality or access to health care, and... unintended administrative burdens...”


• Congress passed a law to extend the deadline for implementation

• ‘Revised’ final rule published on August 14th, 2002

• Deadline for implementation for all except “small health plans” was April 14th, 2003


Security Regulation

• Proposed security rule was published by HHS for comment on Aug. 12th, 1998

• Of note: Proposed privacy rule was published for comment on Nov. 3rd, 1999, a year later.

• There was recognition that security is necessary to protect privacy

• It was a good thought...


• Proposed security regulation was extensive and complex.

• Caused much concern and confusion.

• Took a long time to resolve.

• In the final regulation, the responses to the comments are important in understanding what is intended.


• Final security regulation was published on February 20th, 2003.

• Was much simpler. Sigh of relief.

• Compliance required by April 20th, 2005.

• But... the privacy rule deadline was April 14th, 2003 (just two months away!)

• How to assure privacy without security???


• The solution at UW-Madison was to have each unit of the “health care component” produce transition plans describing how the security regulation would be implemented and how security would be maintained in the interim

• Do the best we can

• Show due diligence


Health Care Component (HCC)

• A hybrid organization is one in which some units are under HIPAA and some are not.

• For a hybrid organization, the units to which HIPAA applies are in the “health care component” (HCC).


Security Regulation Organization

• There are administrative, physical and technical “safeguards”.

• There are 18 “standards”, some of which have multiple “implementation specifications”

• There are 42 implementation specifications.

• Each implementation specification is either “required” or “addressable”.


Required Safeguards

• The regulators state that these are “...so basic that no covered entity could effectively protect electronic protected health information without implementing them”

“When a standard includes required implementation specifications, a covered entity must implement the implementation specifications”


• In the “general rules” of the regulation, the following applies to all safeguards:

“Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications...”


Addressable Safeguards

• Addressable does not mean “not required”.

“When a standard includes addressable implementation specifications, a covered entity must--

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and


(ii) As applicable to the entity--

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate--

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(2) Implement an equivalent alternative measure if reasonable and appropriate.”


Reasonable or Appropriate

• Everything one does for compliance with HIPAA should be “reasonable or appropriate”

• That includes both required and addressable safeguards


Required vs. Addressable

• The options selected for implementation of required safeguards need to fall within the scope of the actual language of the regulation for that safeguard

• The options selected for addressable safeguards can fall outside the scope of that language, but only if complying with the actual language would not be “reasonable or appropriate”


HIPAA Increases Risk

• Why aren’t we already employing such best practices?

• There is always a trade off between cost and risk.

• Best practices are difficult (expensive).

• HIPAA increases risk. How?

• The new risk is from audits, lawsuits, and criminal prosecutions


Two Distinct Problems

• How to further mitigate the existing risk posed by attackers, thieves, etc.

• How to mitigate the new risk posed by audits, lawsuits and prosecutions.


Striking a Balance

• How to focus on the primary problem (attackers, thieves) without neglecting the secondary problem (audits, lawsuits)?


Good News!

• The security regulation is based on best practices

• It asks us to do what we ought to be doing anyway in order to protect sensitive information

• The exception is some HIPAA-specific paperwork


General Solution: Risk Assessment

• What are the threats (probabilities?)

• What are the vulnerabilities (probabilities?)

• What of value are we protecting (impact on privacy, reputation, time, money?)

Risk = threats × vulnerabilities × values


Risk Assessment Inventory

• Originally intended to help units of the HCC at Wisconsin to create their transition plan for reaching compliance.

• Measures compliance with the security regulation.

• Shows where improvement is needed. Demonstrates the start of due diligence.

• Also shows where we’re doing well.


• Instructions are to “Grade” compliance on each safeguard using an A to F scale.

• A’s, B’s and C’s are where we are doing well.

• Work on the D’s and F’s first. That’s where we’re probably not doing something “reasonable or appropriate”.

• The net effect is that additional best practices get implemented in those places where they are needed the most.


• At Wisconsin, the information security folks were ecstatic when they realized HIPAA would have that effect

• From an information security perspective, HIPAA is not a distraction, it’s an opportunity


Risk Assessment Inventory: Overview

The model of a unit of the HCC: what its technical assets, physical sites, and administrative subunits are, and how to identify an HCC unit's physical sites and administrative subunits.


Risk Assessment Inventory: Process

The process of filling out the instrument. The suggested grading scale. The need for a descriptive narrative. Some criteria for prioritizing risks. Delivery instructions.


Risk Assessment Inventory: Instructions

A description of the four sheets which form the actual inventory.

Descriptions of the fields found on each of those sheets.

How to score risks on each sheet.


I. HCC Unit: names of the HCC unit, physical site(s) and admin subunit(s)

II. Tech Assets: inventory of technical assets (servers, networks, workstations, peripherals, portables, and applications)

III. Phys Site(s): inventory of physical sites (server rooms, office buildings, utility closets, etc.)

IV. Admin Subunit(s): inventory of administrative subunits (different departments, research centers, etc.)


HIPAA Security Safeguards

• Summary is on the sheet labeled ‘HIPAA Security Regs’ (last one in the workbook)

• Uses some actual language from the security regulation.

• One must read more, however, to understand what the regulators are really getting at (in particular the definitions, and the comments and responses).


‘HIPAA Security Regs’

• Standards:

“Security Management Process

Implement policies and procedures to prevent, detect, contain, and correct security violations.”


• Section (Sec.)

“164.308(a)(1)”

• Implementation

“Risk Analysis (R)”


• Definition

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity.”


• Possible Grading Scale for Required Safeguards

A. RA completed. Risks fully prioritized and follow up actions scheduled.

B. RA completed. Risks not yet prioritized and follow up actions not scheduled.

C. RA started but not completed. Top risk areas identified.

D. RA planned and method being developed.

F. RA not started
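The addressable-safeguard rule (slides 18 and 19), the risk formula (slide 26) and the A-to-F grading with D's and F's first (slide 28) can be combined into one small check over an inventory. The Python below is an added example, not code from the deck or from UW-Madison: the Safeguard fields, the 0..1 threat and vulnerability estimates and all sample rows are constructed, and the section numbers other than 164.308(a)(1) are assumed to match the published Security Rule.

```python
from dataclasses import dataclass

PRIORITY_GRADES = {"D", "F"}  # slide 28: work on the D's and F's first


@dataclass
class Safeguard:
    section: str           # regulation section, e.g. "164.308(a)(1)"
    name: str              # implementation specification
    kind: str              # "R" = required, "A" = addressable
    grade: str             # A..F status of implementing the spec as written
    threat: float          # estimated likelihood of a threat, 0..1 (constructed scale)
    vulnerability: float   # estimated likelihood the weakness is exploitable, 0..1
    value: float           # impact on privacy, reputation, time, money (relative)
    rationale: str = ""    # addressable only: why the spec is not reasonable and appropriate
    alternative: str = ""  # addressable only: the equivalent alternative measure

def risk_score(s: Safeguard) -> float:
    """Slide 26: Risk = threats X vulnerabilities X values."""
    return s.threat * s.vulnerability * s.value

def findings(s: Safeguard) -> list[str]:
    """Compliance issues for one safeguard; an empty list means nothing to flag."""
    issues = []
    if s.grade not in PRIORITY_GRADES:
        return issues  # A, B, C: doing well, nothing to document
    if s.kind == "R":
        # Required specifications must be implemented as written (slides 16 and 21).
        issues.append(f"{s.section} {s.name}: required specification not in place")
    elif s.kind == "A":
        # An addressable one may be skipped only with a documented reason and an
        # equivalent alternative measure (slide 19, (ii)(B)(1) and (2)).
        if not s.rationale:
            issues.append(f"{s.section} {s.name}: no documented rationale")
        if not s.alternative:
            issues.append(f"{s.section} {s.name}: no equivalent alternative measure")
    return issues

def prioritize(inventory: list[Safeguard]) -> list[Safeguard]:
    """D's and F's first, then highest risk score first within each group."""
    return sorted(inventory, key=lambda s: (s.grade not in PRIORITY_GRADES, -risk_score(s)))

# Constructed sample inventory for one HCC unit (values are illustrative only).
SAMPLE = [
    Safeguard("164.308(a)(1)", "Risk Analysis", "R", "D", 0.6, 0.5, 10),
    Safeguard("164.312(a)(2)(iv)", "Encryption and Decryption", "A", "F", 0.3, 0.4, 8,
              rationale="legacy lab instruments cannot encrypt data at rest",
              alternative="instruments isolated on a restricted network with access logging"),
    Safeguard("164.308(a)(5)(ii)(D)", "Password Management", "A", "F", 0.8, 0.7, 6),
    Safeguard("164.312(a)(2)(i)", "Unique User Identification", "R", "B", 0.2, 0.2, 9),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE):
        print(s.grade, f"{risk_score(s):.2f}", s.section, s.name, findings(s) or "ok")
```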


Parting Thought

The HIPAA security regulation is only really asking us to do what we ought to be doing anyway in order to protect sensitive information.

It is not a distraction (unless we get distracted!). It is an opportunity for improvement.


References

http://www.cms.hhs.gov/hipaa/

http://wiscinfo.doit.wisc.edu/policy/hipaa/